Hello everyone,
I've got a problem with my DMZ zone, and I'm not sure how to solve it. Right now, when I connect my laptop to port ge-0/0/2 I get nothing: I can't ping the gateway, I can't access the internet, etc.
I'm not sure if that's possible, but on the local network I would like to allow only pinging the gateway and nothing else, so that someone at IP 10.0.2.5 cannot reach 10.0.2.6. For internet access I would like DMZ hosts to be able to reach everything, but only allow specific ports inbound to the DMZ.
So what I did (not sure if it's correct) was create a pool per IP address; for example, pool dmz55 is assigned to IP 10.0.2.2, which maps to my public IP address 5.2*.***.55.
I'm also not sure about the policies for the DMZ. I believe I can't use source-address any; destination-address any; application any; because each local IP address will be assigned its own public address.
My config:
## Last changed: 2015-04-06 22:09:53 BST
version 12.1X44-D35.5;
## System-level settings: hostname, authentication, management services,
## logging, licensing and NTP.
system {
    host-name srx;
    time-zone Europe/London;
    root-authentication {
        encrypted-password "******************************"; ## SECRET-DATA
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    login {
        ## Single local super-user account (hash redacted in the post).
        user access {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "*********************"; ## SECRET-DATA
            }
        }
    }
    ## Management services. Which zones can actually reach them is decided
    ## by each security zone's host-inbound-traffic stanza further down
    ## (trust and lan allow all system-services; DMZ and internet allow none).
    services {
        ssh;
        ## NOTE(review): telnet and xnm-clear-text carry credentials unencrypted.
        ## ssh and https are already enabled, so both can be removed.
        telnet;
        xnm-clear-text;
        web-management {
            ## Plain-HTTP management on the trust VLAN; https below already
            ## covers vlan.0, so http is redundant.
            http {
                interface vlan.0;
            }
            https {
                system-generated-certificate;
                interface [ vlan.0 ge-0/0/1.0 ];
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        server 176.58.109.199;
    }
}
## Interface addressing. Zone membership is assigned under security zones:
## ge-0/0/0.0 -> internet, ge-0/0/1.0 -> lan, ge-0/0/2.0 -> DMZ, vlan.0 -> trust.
interfaces {
    ge-0/0/0 {
        description internet;
        unit 0 {
            family inet {
                ## Public /29. The other addresses used here (.55, .56, .57)
                ## are answered via proxy-arp under security nat.
                address 5.2*.***.54/29;
            }
        }
    }
    ge-0/0/1 {
        description lan;
        unit 0 {
            family inet {
                address 10.0.1.1/24;
            }
        }
    }
    ge-0/0/2 {
        description DMZ;
        unit 0 {
            family inet {
                ## DMZ gateway address. Zone DMZ has no host-inbound-traffic
                ## stanza, so the SRX itself drops ping (and everything else)
                ## addressed to 10.0.2.1 -- this matches the "can't ping the
                ## gateway" symptom. Hosts sharing this /24 behind a switch
                ## reach each other at layer 2 without transiting the firewall,
                ## so a security policy cannot isolate 10.0.2.5 from 10.0.2.6;
                ## that needs switch-side isolation or separate segments.
                address 10.0.2.1/24;
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}
## Single default route towards the ISP gateway on the ge-0/0/0 /29.
routing-options {
    static {
        route 0.0.0.0/0 next-hop 5.2*.***.53;
    }
}
## Spanning tree enabled globally; no other routing/switching protocols.
protocols {
    stp;
}
## Security: screens, NAT, policies and zones. Several stanzas still refer to
## the factory zones "trust"/"untrust" while the live interfaces are in
## "lan"/"internet"/"DMZ", which is the root of most of the issues below.
security {
    screen {
        ## Screen profile. It is bound only to zone "untrust" (see zones),
        ## which holds no interfaces; the public interface ge-0/0/0.0 sits in
        ## zone "internet", which has no screen, so these checks are inactive.
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            ## Factory rule-set for trust->untrust; zone untrust has no
            ## interfaces, so this never matches.
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set lan-to-internet {
                from zone lan;
                to zone internet;
                rule lan-to-internet-r1 {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            ## Interface source NAT for DMZ->internet. NAT alone does not permit
            ## traffic: there is no from-zone DMZ to-zone internet policy below,
            ## so DMZ hosts are denied by the default policy.
            rule-set dmz-to-internet {
                from zone DMZ;
                to zone internet;
                rule dmz-to-internet-r1 {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            ## One destination pool per DMZ host, named after the last octet
            ## of the public address it is meant to serve.
            pool dmz55 {
                address 10.0.2.2/32;
            }
            pool dmz56 {
                address 10.0.2.3/32;
            }
            pool dmz57 {
                address 10.0.2.4/32;
            }
            rule-set internet-to-dmz {
                from zone internet;
                ## Only .55 has a rule; .56 and .57 are proxy-arp'd below but
                ## have no destination-NAT rule yet.
                rule internet-to-dmz-2-1 {
                    match {
                        destination-address 5.2*.***.55/32;
                        destination-port 80;
                        protocol [ tcp udp ];
                    }
                    then {
                        ## BUG: pool "dmz75" is not defined; the pools above are
                        ## dmz55/dmz56/dmz57. For 5.2*.***.55 this should be dmz55.
                        destination-nat pool dmz75;
                    }
                }
            }
        }
        proxy-arp {
            interface ge-0/0/0.0 {
                address {
                    5.2*.***.55/32;
                    5.2*.***.56/32;
                    5.2*.***.57/32;
                }
            }
        }
    }
    policies {
        ## Factory trust->untrust policy; zone untrust has no interfaces.
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        ## Policy name says "wan" but the zone pair is lan -> internet.
        from-zone lan to-zone internet {
            policy wan-to-internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        ## Missing: from-zone DMZ to-zone internet (outbound) and
        ## from-zone internet to-zone DMZ (inbound). Destination NAT is applied
        ## before the policy lookup, so the inbound policy matches on the
        ## private address (e.g. 10.0.2.2) with the application restricted to
        ## the published port, not on the public address.
    }
    zones {
        security-zone trust {
            ## All services (including telnet/http above) reachable from vlan.0.
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
            }
        }
        ## Factory zone: carries the screen but no interfaces.
        security-zone untrust {
            screen untrust-screen;
        }
        ## Public-facing zone; no screen bound here.
        security-zone internet {
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone lan {
            ## All services (including telnet/http above) reachable from ge-0/0/1.0.
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone DMZ {
            ## No host-inbound-traffic, so the SRX answers nothing on 10.0.2.1,
            ## including ping. Allowing only ping to the gateway would be
            ## host-inbound-traffic { system-services { ping; } } here.
            interfaces {
                ge-0/0/2.0;
            }
        }
    }
}
## Trust VLAN backing the vlan.0 L3 interface (192.168.1.1/24, zone trust).
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}